T-Mobile has been ordered to pay a $33 million arbitration award following a SIM swap attack that resulted in the theft of $165 million in cryptocurrency in 2020. The award stems from a case in which hackers gained unauthorized access to a customer’s phone and accounts without needing security codes. It marks another significant security incident for the telecommunications giant, which has faced multiple breaches in recent years, including a major 2021 data breach affecting 76 million customers.
The arbitrator determined that T-Mobile violated the Federal Communications Act by failing to adequately protect the customer’s private information. The total award includes over $6.5 million in attorney fees and costs. The ruling comes as the FCC has implemented stricter regulations around SIM swap prevention and telecommunications security.
The case was brought by law firm Greenberg Glusker on behalf of their client. SIM swap attacks occur when malicious actors convince or trick mobile carriers into transferring a victim’s phone number to a new SIM card under the attacker’s control, enabling them to bypass security measures and gain access to accounts. According to recent FBI data, SIM swapping attacks caused over $48 million in losses during 2023 alone.
The arbitration outcome represents one of the largest settlements related to a SIM swap incident. The telecommunications industry has faced increasing scrutiny over SIM swap vulnerabilities, leading many carriers to implement additional verification procedures and security protocols to prevent unauthorized SIM transfers. The problem has become particularly severe in cryptocurrency-related theft, as demonstrated by recent high-profile cases including an attack on the SEC’s social media accounts.
Multi-factor authentication that does not rely solely on SMS-based verification has emerged as a recommended security practice to protect against SIM swap attacks. Security experts and federal agencies, including the FBI and CISA, strongly advise against using SMS-based two-factor authentication and recommend using authenticator apps or hardware security keys as more robust alternatives. The growing adoption of passkey technology represents a promising development in the fight against such authentication vulnerabilities.
Sources: Daily Journal, TMO Report, CISO Series